On Tue, Jun 19, 2012 at 5:20 PM, Vincent Massol <vincent(a)massol.net> wrote:
On Jun 19, 2012, at 3:16 PM, Jerome Velociter wrote:
On Tue, Jun 19, 2012 at 2:58 PM, David Delbecq <david.delbecq(a)meteo.be> wrote:
> Hello,
>
>
> unfortunately, we don't have any explicit sso service currently running.
> In the past, we simply asked the container (tomcat) to manage
> authentication of users for all our web applications and we followed tomcat
> directions on how to share the principal for all applications (
> http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html#Single_Sign_On_Va…
> ). This works well when all applications use container authentication and the
> only client is the user's web browser. Unfortunately, things will change as
> we will base our intranet on xwiki instead of having separate spread
> applications the user needs to connect to. This means the web server (now
> jboss) will be the http client of all other services, and thus realm based
> sso won't work. For some of those services we use a generic technical account,
> so no problem, we just store the password. But for some others, we must
> transmit the user / password of the current xwiki user so xwiki is seen by this
> service as this user.
>
> And none of those behind the scene applications were ever configured to
> use kerberos or anything alike. Moreover, i would like to avoid the
> nightmare of maintaining such a service when simply forwarding user /
> pass to the next service would solve my problems :)
Storing plain-text user passwords is never a good idea, be it in the
database, filesystem or in memory.
If you store passwords in the session, some XWiki applications could read
them, someone in your organization with programming access level can access
them, a hacker that escalates to have access to the machine or to
programming rights in the application can read them, etc.
yep I confirm that it's definitely a no go from a security point of view.
The first rule of security is that nobody should ever be able to get
access to the password in clear.
Yes, and that even if the application does not require strong
authentication. You are protecting an application, but also, and moreover,
you are protecting the passwords. If for some reason you are storing plain
text password, users must be aware of that so that they can pick a password
with no value. This is what mailman does when you subscribe to a mailing
list, see for example:
http://lists.xwiki.org/mailman/listinfo/users
For your use case, if your "behind the scenes" applications do not require
strong authentication, you are better off with no authentication at all
than with clear text users passwords, especially if those are the LDAP/SSO
passwords of your organization users.
Jerome
Even encrypted is not always enough, see what happened with linkedin who
had sha-ed passwords but with no salt… ;)
Thanks
-Vincent
Jerome
>
> Regards,
> David Delbecq
>
> ----- Original Message -----
>
> From: "Guillaume Lerouge" <guillaume(a)xwiki.com>
> To: "XWiki Developers" <devs(a)xwiki.org>
> Sent: Tuesday, 19 June 2012 14:40:16
> Subject: Re: [xwiki-devs] Access password of current user
>
> Hi David,
>
> which SSO service do you use internally? XWiki authenticators already
> exist for CAS, Kerberos and NTLM, maybe you could draw inspiration from
> them.
>
> Guillaume
>
> On Tue, Jun 19, 2012 at 1:54 PM, David Delbecq <david.delbecq(a)meteo.be> wrote:
>
>>
>> Hello,
>>
>> I was hoping that somehow, when submitted via the form, the password gets
>> recorded until the end of the session. We can't afford, for the sake of
>> user experience, to ask the password every time the user needs to access a hidden
>> system he is not even supposed to know is separate from the wiki. That's
>> why we are writing some macro / components so that it's xwiki that accesses
>> those systems for him. This includes various webservices, a document storage
>> and so on. We try to keep a single sign on policy. Of course, i don't want
>> the user password stored anywhere on disk, but keeping it in the user session
>> seems a good trade-off for me.
>>
>> I plan thus to create my own xwikiauthservice that delegates to the ldap
>> service and stores this in the user session.
>>
>>
>> ----- Original Message -----
>>
>> From: "Jerome Velociter" <jerome(a)winesquare.net>
>> To: "XWiki Developers" <devs(a)xwiki.org>
>> Sent: Tuesday, 19 June 2012 11:53:42
>> Subject: Re: [xwiki-devs] Access password of current user
>>
>> Hi,
>>
>> Fortunately, you can't. You can only access/verify a hashed version of
>> the password.
>>
>> Note that asking for a password again is not necessarily a bad UX,
>> especially if it is to allow access to a sensitive area/operation.
>>
>> Cheers,
>> Jerome.
>>
>> On Tue, Jun 19, 2012 at 11:39 AM, David Delbecq <david.delbecq(a)meteo.be> wrote:
>>>
>>> Hello,
>>>
>>> i am writing a component that needs a password. Because this password
>>> will be the same for the current user as the one he used to log in, it would
>>> make for a crappy interface to ask it again to the user. So i need to know how
>>> my component or a groovy script can access the username / password of the current
>>> logged-in user.
>>>
>>> Thank you.
>>>
>>>
>>> David Delbecq
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
--
Jérôme Velociter
Winesquare
http://www.winesquare.net/
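Two points raised in the thread, that only a hashed form of the password should ever be reachable and that a hash without a salt (the LinkedIn case Vincent mentions) is not enough, are illustrated by the following added example. It is not part of the thread and not XWiki code: the user list and passwords are constructed, and PBKDF2-HMAC-SHA256 as the salted scheme is my choice, not something the thread specifies. It shows why an unsalted hash reveals which users share a password (and can be cracked with one precomputed table), while a per-user salt gives every record a distinct hash and verification still works without the clear-text password ever being stored.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two users happen to share the same password.
# Clear-text passwords appear here only to build the demonstration.
SAMPLE_USERS = {
    "alice": "Winter2012!",
    "bob": "Winter2012!",
    "carol": "correct horse battery staple",
}


def unsalted_sha1(password: str) -> str:
    """Unsalted SHA-1, the kind of scheme the thread attributes to the LinkedIn leak."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def unsalted_hashes(users: dict) -> dict:
    """Map each user to the unsalted hash of their password."""
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def make_salted_record(password: str, iterations: int = 100_000) -> dict:
    """Derive a salted, iterated hash (PBKDF2-HMAC-SHA256) with a fresh 16-byte salt.

    The salt is not secret; it is stored beside the hash so the check can be redone."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def salted_records(users: dict) -> dict:
    """Map each user to a salted record; every record gets its own salt."""
    return {user: make_salted_record(pw) for user, pw in users.items()}


def verify_salted(record: dict, candidate: str) -> bool:
    """Check a candidate password against a stored record; only the hash is ever kept."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def users_with_shared_hash(hashes: dict) -> int:
    """Count users whose stored hash equals at least one other user's hash.

    Without a salt, equal passwords give equal hashes, so a leaked table shows
    which accounts share a password and one lookup table covers all of them."""
    counts = {}
    for h in hashes.values():
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for h in hashes.values() if counts[h] > 1)


if __name__ == "__main__":
    plain = unsalted_hashes(SAMPLE_USERS)
    salted = salted_records(SAMPLE_USERS)
    print("unsalted: users sharing a hash =", users_with_shared_hash(plain))
    print("salted:   users sharing a hash =",
          users_with_shared_hash({u: r["hash"] for u, r in salted.items()}))
    print("verify carol:", verify_salted(salted["carol"], SAMPLE_USERS["carol"]))
```

Running it shows alice and bob colliding under unsalted SHA-1 and no collisions once each record carries its own salt; the iteration count is what makes guessing slow, and the constant-time compare is the detail that is easy to forget when writing a custom authenticator.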